Twitter launches two-factor authentication, too late to save The Onion

On the heels of the Syrian Electronic Army compromising a number of high-profile accounts—including those of the Associated Press, The Guardian, and The Onion—Twitter has introduced a two-factor authentication feature that should make such attacks more difficult. In a blog post today, Jim O'Leary of Twitter's security team announced the release of "login verification," an optional security measure that requires a verified phone number and e-mail address.

Twitter is a bit late to the two-factor authentication party. Word first spread that Twitter was working on a two-factor authentication scheme in February when the company advertised job openings for security engineers to develop "user-facing security features, such as multi-factor authentication and fraudulent login detection." Google has offered two-factor authentication since February of 2011, and Facebook introduced two-step login approval in May of 2011.

Like Google's two-factor authentication, Twitter's login verification sends a code via SMS to be entered to confirm login. But unlike Google's system, the code will be sent every time users sign in to Twitter through its website, even from a computer or device they have logged in from before. The phone has to be enrolled through Twitter's existing SMS service first—you have to text a code to Twitter to verify the number, which may not work with some phone carriers. The relationship between phones and accounts is also strictly one-to-one: if you have a shared business account, you're going to need to share a phone number too. If you have multiple accounts and only one phone number, you can only secure a single account.

There are some additional limitations to Twitter's scheme. Other mobile devices and applications (such as HootSuite and TweetDeck) will have to be configured individually as they're added, using a temporary password generated through Twitter's applications page to be authorized on first login. Unlike the RFC 6238 scheme used by Google, Facebook, and Microsoft, there's no way to use standard, generic authentication apps to generate time-based, one-time passwords. So if you can't get the SMS, you're out of luck. And unlike those systems, there's no facility to create persistent application-specific passwords.

Wait, EVERY time you log in it requires the two-factor check? Yeah, expect that to get turned off by everyone that uses Twitter frequently within a week, making it just as insecure as before.

Someone needs to apparently tell the Twitter security people that in order to get your security system to work, it has to be simple enough for people to actually use. A lock on a door is only effective if it's not so annoying that a person won't bother to use it.

The lack of RFC 6238 support is a deal breaker for me even though my operator is on the list. I just don't want to have to deal with SMS when there are better alternatives out there. I mean heck, even my VPS running Debian has two-factor auth via Google Authenticator enabled.

8 years ago I predicted that biometric identification would become essential eventually and I was told I sounded stupid.

I boldly reiterate the stupid-sounding prediction.

Again, you cannot swap out your fingerprints and eyes when they get compromised. Specialized personal auth devices in the form of RSA tokens or SMS messages are the way forward, possibly with some NFC variant moving the ball forward for a personal proximity authentication system.

To be fair, if someone has stolen my eyes, I've got bigger problems than my Twitter account being hacked.

You are missing the point that your eyes can be digitally replicated today. Someone just has to set up a camera at your home, get a high-res closeup of your eye, biometrics busted. Same thing for fingerprints.

By the way, thanks for mentioning Facebook follows RFC 6238. I didn't know, but I have it added to my Authenticator app now.

I managed to get it working with my Google Authenticator, but it was a bit of a pain. Most of that was faulty instructions for how to "activate" SMS on my phone. I had to text them (the letter "F" to a special phone #), but all the two-factor setup dialogs said they were going to text me, except I never got anything from them. I finally stumbled across the right SMS activation page after a few hours of frustration.

Also, it doesn't consider the iPhone app to be a separate entity, so it continues to use the standard username/password. I would have expected mobile apps to require a one-time app-specific password à la Google, but apparently they trust their apps enough. So now it only asks me for a code whenever I log in via a web page, which is rare.

Actually, I think Google's app-specific password policy is maybe unique. I don't think Dropbox does that either, though it asks you for a code when installing the client on a computer for the first time.

Turns out that while Google Voice normally does NOT allow SMS to short code numbers, it DOES work with Twitter's authentication. So I was able to set my Google Voice # as the phone with Twitter. Setup has you send an SMS code to 40404, which surprisingly worked.

It's better than nothing even though the implementation is very poor. Only the SMS option is offered instead of offering a token based system which could be tied to an app like Duo or Google Auth like Dropbox.

True, but with fingerprints, you are leaving your authentication on everything you touch...

And you were missing the joke. I didn't say if someone had imaged my eyes (which is harder than you think, and won't be effective when the optical verification systems start using spectral analysis, retroreflection recog, 3-D imaging [multiple cameras], and/or dither pattern detection, and really, they should use at least two of those).

I said, if someone STOLE MY EYES then I've got more problems than not being able to log into Twitter. Because I've got no eyes!

It is time for a commenting chill pill. To quote from the linked twitblog: "However, much of the server-side engineering work required to ship this feature has cleared the way for us to deliver more account security enhancements in the future. Stay tuned."

So what we get today is the initial quickest 2nd factor they could QA and push out there. It is a valid 2nd factor that is part of many other outfits' 2-factor schemes. Just not the best.

Presumably this means we get more 2nd factors soon, to the point that it is universally usable. For me that means using Google Authenticator on my iPhone. Also, someone pressure Google to make that thing more multi-use friendly. It's getting crowded!

There's still the very real problem that SMS is not free for a lot of people on low-cost cell plans. I'm one of those dinosaurs that still has a landline (for various reasons I won't go into) and my cell just doesn't get used enough to justify anything other than a bare-bones prepaid plan. There is simply no way I'm going to turn on 2-factor authentication if it costs me $0.25 every time I want to login.

I don't understand why they won't offer the option of a spoken authentication token sent to my landline. They could even offer an option where they encode it into the caller ID and just disconnect after two rings ensuring it costs nothing.

Sounds like they want to authenticate the user of the Twitter account, meaning if "Katy Perry" has used her Twitter account, it was definitely sent by her... (or by a person designated as her "Twitter" typer)...

meaning that only one person can send using that account...

TL;DR... More to authenticate the person sending the "tweet" than to prevent hacking...

You don't want biometrics.

If your ID is your fingers and your eyes, it becomes legal under the laws of war to rip out your eyes and chop off your fingers or your hand to get access to a computer for military reasons.

Your iPhone is totally unprotected. You can't even log out of the Twitter app on your iPhone. So if your phone is lost or stolen, the culprit can tweet from your account. Just providing 2-factor for the Twitter Web site is a huge fail.

Sean Gallagher / Sean is Ars Technica's IT Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland.